Rubrica legale - ICT Security Maggio 2004 Autore: Daniela Rocca (SG&A) Gianluca Ramunno (Politecnico di Torino)

Transcription

1 ubrica legale - ICT Security Maggio 2004 The standardisation effort in CEN/SSS E-Sign workshop In 1999 the European Commission launched the EESSI (Euroepan Electronic Signature Standardisation Initiative) to support the European Directive 1999/93/EC on the electronic signatures. The activities were divided into two working groups: the ETSI TC-SEC ESI (now TC-ESI) and the CEN/ISSS E-Sign. These working groups, during these years, have worked actively in order to standardize the technical aspects left by the European Directive to the standardisation bodies. So, a certain number of deliverables has been approved. Some of them have been referenced on the Official Journal of the European Community. Some of them are still in itinere. Some of them are in the phase of maintenance. While the activities of ETSI TC-ESI will continue, these of CEN/ISSS E-Sign have been closed on February 2004 with the achievement of the goals. The CEN BT/WG 159 is an ad hoc working group created by CEN to deal with the maintenance of the documents delivered by the CEN/ISSS E-Sign workshop. The kick-off meeting was held on 4 th March with the following provisional conclusions. The s will be grouped in three categories: - the first attempt will be made to transpose as many s as possible (make them ENs or ISes); - for some s transferring their ownership to some de jure organization is an option; - the usage of the remaining ones will be monitored; the ones with market relevance will be transferred or transposed, the others will be allowed to lapse. The purpose of this document is to syntetize the state of art in the field of the documents delivered by CEN/SSS E-Sign workshop. For each the following details are reported: CEN ID title Publication date elation (if any) with by ETSI and/or other bodies (if any) eferences to relevant web pages for WS/E-Sign s WS/E-Sign published s: ionsystem/published+cwas/cwa+download+area.asp#es WS/E-Sign s: SEMA Technologies: DCSSI: BSI: BSI list of SSCD certified PPs: TÜV:

2 CEN/ISSS WS/E-Sign s published, approved and being published: ubrica legale - ICT Security Maggio 2004 CEN Identifier Title Publication date elated : :2004 Security equirements for Trustworthy Systems Part 1: System Security equirements Security equirements for Trustworthy Systems Part 2: Cryptographic Module for CSP Signing Operations with Backup - Protection Profile (CMCSOB-PP) Security equirements for Trustworthy Systems Part 3: Cryptographic Module for CSP Key Generation Services - Protection Profile (CMCKG- PP) June :2004, :2004, , ) Supersedes :2001 2) eferenced in Official Journal with wrong month: the reference must be corrected 1) Will supersede :2002 2) PP (v. 0.28) successfully evaluated by SEMA and certified by DCSSI (waiting for ) 3) Companion specification of :2004 (spin-off from the previous version: :2002) 4) Previous revision (2002) referenced in Official Journal: the reference must be updated after the CEN 5) There is the need to deal with some comments received during the voting and not yet taken into account; these comments are listed in WSES N 0414, an internal WS/E- Sign document 1) Will supersede :2003 2) PP (v. 0.12) not evaluated because of lack of sponsors, but updated according to the certified and after their certifications; if a sponsor were found, it can be submitted for evaluation 3) There is the need to deal with some comments received during the voting and not yet taken into account; these comments are listed in WSES N 0414, an internal WS/E- Sign document

3 ubrica legale - ICT Security Maggio 2004 CEN Identifier Title Publication date elated : : : Security equirements for Trustworthy Systems Part 4: Cryptographic Module for CSP Signing Operations - Protection Profile (CMCSO-PP) Secure Signature-Creation Devices, version 'EAL 4+' Security equirements for Signature Creation Applications General Guidelines for Electronic Signature Verification , , :2004, 14355: :2004, 14355:2004, , , ETSI T , ETSI T ETSI T , :2004, 14170:2004 1) PP (v. 0.28) successfully evaluated by SEMA and certified by DCSSI (waiting for ) 2) Companion specification of (spin-off from the previous version: :2002): same specification as without the backup function 3) Previous revision ( :2002, whose this document is a spin-off) referenced in Official Journal: the reference to this new part must be added after the CEN 4) There is the need to deal with some comments received during the voting and not yet taken into account; these comments are listed in WSES N 0414, an internal WS/E- Sign document 1) Will supersede 14169:2002 2) Three PPs successfully evaluated by TÜV and certified by BSI (Type 1, v Type 2, v Type 3, v. 1.05) 3) Some small errors were found after the certification; the version 2004 of this specification include the list of the corrections that the implementors should apply. The MS Word sources of the three PPs properly amended (v. 1.06) are already available: if a new sponsor were found, they could be submitted for a new evaluation 4) Previous revision (2002) referenced in Official Journal: the reference must be updated after the CEN 1) Will supersede 14170:2001 1) Will supersede 14171:2001

4 ubrica legale - ICT Security Maggio 2004 CEN Identifier Title Publication date elated EESSI Conformity Assessment Guidance - Part 1: General introduction : : : : : :2004 EESSI Conformity Assessment Guidance - Part 2: Certification Authority services and processes EESSI Conformity Assessment Guidance - Part 3: Trustworthy systems managing certificates for electronic signatures EESSI Conformity Assessment Guidance - Part 4: Signature-creation applications and general guidelines for electronic signature verification EESSI Conformity Assessment Guidance - Part 5: Secure signature creation devices EESSI Conformity Assessment Guidance - Part 6: Signature-creation devices supporting signatures other than qualified EESSI Conformity Assessment Guidance - Part 7: Cryptographic modules used by Certification Service Providers for signing operations and key generation services EESSI Conformity Assessment Guidance - Part 8: Time-stamping Authority services and processes Guidelines for the implementation of Secure Signature-Creation Devices , : :2004, ) Will supersede :2001 1) Will supersede :2001 1) Will supersede :2001 1) Will supersede : :2004 1) Will supersede : , :2004, ( :2004) :2004, 14170:2004 1) Will supersede 14355:2002

5 ubrica legale - ICT Security Maggio 2004 CEN Identifier Title Publication date elated Guide on the use of Electronic Signatures - Part 1:?????:2004 Legal and Technical Aspects (Area AB) ?????:2004 (Area AB) Guide on the use of Electronic Signatures - Part 2: Protection Profile for Software Signature Creation Devices Application Interface for smart cards used as Secure Signature Creation Devices - Part 1 - Basic requirements; version 1.09 rev2 Application Interface for smart cards used as Secure Signature Creation Devices - Part 2 - Additional services; version 1.03 rev : : :2004 Evidential Value of Electronic Signatures On going ) Will supersede 14365:2003 1) Will supersede 14365:2003 1) CEN WS/E-Sign expressed the preference that this will be maintained by CEN TC-224 1) CEN WS/E-Sign expressed the preference that this will be maintained by CEN TC-224

6 ubrica legale - ICT Security Maggio 2004 The following schema explains the relationship between Cen/Isss and Etsi deliverables: CEN Area AB ETSI ETSI S ETSI T ETSI T ETSI T Symbols or TS or T Area XX Abbreviations OJ PP S TS T This deliverable is a technical specification (or it will be) This deliverable is a report or a guidance This deliverable has not yet been approved (developed by the Project Team in Area XX) CEN Workshop Agreement (CEN deliverable) Official Journal (of the European Union) Protection Profile (Common Criteria) Special eport (ETSI deliverable) Technical Specification (ETSI deliverable) Technical eport (ETSI deliverable) elationship of dependency elationship of mutual dependency elationship of weak dependency Evaluated and certified PP Not evaluated nor certified PP eferenced in OJ Will be referenced in OJ The schema has been produced for the purpose of the future maintenance of the s developed by CEN/ISSS E-Sign workshop within the EESSI frame. Therefore: 1. all deliverables developed (or being...) by CEN/ISSS E-Sign workshop have been included; 2. not all deliverables developed by ETSI TC-ESI within the EESSI frame have been included in the schema: only the ones related to at least one have been included; 3. the relationships among the ETSI deliverable included in the schema have not been represented; , 14172, and are multipart s 5. the relationships among the parts of a same multipart have not been represented; 6. relationship of dependency: A B means A depends on B (if the content of B is modified, B may need to be modified accordingly); 7. relationship of weak dependency ( A B): the relationship between A and B is not strong, because at the moment no maintenance is planned for B; and have a special relationship not represented: they are the same specification one with the key backup option and the other one without. 9. many deliverables refer to S , therefore these relationships have not been represented

7 ubrica legale - ICT Security Maggio 2004 Gianluca amunno, Politecnico di Torino Daniela occa, Studio Genghini & Associati